How To Install Unbound Local DNS Resolver on Ubuntu 20.04

Unbound can be used as a recursive and caching DNS server. Companies that use their own domain to serve internal applications or websites can use Unbound for that purpose. Unbound handles both IPv4 and IPv6, depending on your network configuration. If Unbound is used as the company-wide DNS server, resolution becomes faster for all users, because they tend to query the same domain names over and over; and when an address changes, we only need to update the server once and every user gets the new IP address on their next query.

Install Unbound

The first step is to install Unbound from the official repository:

sudo apt install unbound -y

Configure Unbound

The Unbound configuration is stored in the /etc/unbound/unbound.conf file. We'll use Unbound as a recursive server for the LAN, so the devices on the LAN take advantage of Unbound's caching for faster DNS resolution. We'll test the caching part later, after everything works.
For my setup, I have the following IP addresses:
Ubuntu IP Address: 192.168.88.1
LAN Network: 192.168.88.0/24

Add the following at the bottom of the unbound.conf file:

server:
    # listen on loopback and on the LAN address of this host
    # (replace SERVER-IP with your own address, 192.168.88.1 in this setup)
    interface: 127.0.0.1
    interface: SERVER-IP
    # allow recursive and non-recursive queries.
    # allow_snoop also permits cache-inspection (non-recursive) queries;
    # plain "allow" is sufficient for ordinary LAN clients.
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 192.168.88.0/24 allow_snoop

    verbosity: 0
    # do not reveal hostname/version to id.server / version.bind queries
    hide-identity: yes
    hide-version: yes
    # refresh popular cache entries before they expire
    prefetch: yes
    do-ip4: yes
    do-udp: yes
    num-threads: 2

[Screenshot: unbound configuration file]

Setup Local DNS

Unbound can also serve domain names on a local network. Let's say we have two services on our LAN and want to reach them by name instead of by IP address. We can use any extension, even a made-up one such as .atetux:

homeserver.atetux on IP 192.168.88.2
jellyfin.atetux on IP 192.168.88.3

Open /etc/unbound/unbound.conf and add the following at the bottom:

include: "/etc/unbound/domain.conf"

Create a new file, /etc/unbound/domain.conf, to store the mapping of our domain names to IP addresses.
[Screenshot: unbound local domain name]
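The contents of domain.conf were only shown in the screenshot; as an added example (not the original post's file), here is a domain.conf that serves the two names listed above with the same addresses and additionally adds reverse (PTR) records, which the post does not mention:

```conf
# /etc/unbound/domain.conf  (added example, built from the two mappings above)
server:
    # Answer the made-up zone from local data only. "static" returns NXDOMAIN
    # for any name under atetux. that is not listed below, instead of sending
    # the query on to the public root servers.
    local-zone: "atetux." static

    # Forward records: name -> IP address
    local-data: "homeserver.atetux. IN A 192.168.88.2"
    local-data: "jellyfin.atetux. IN A 192.168.88.3"

    # Reverse records so `dig -x 192.168.88.2 @127.0.0.1` resolves back to
    # the name (assumes the hosts really live at these addresses)
    local-data-ptr: "192.168.88.2 homeserver.atetux."
    local-data-ptr: "192.168.88.3 jellyfin.atetux."
```

Run `unbound-checkconf` to validate the syntax, then `sudo systemctl restart unbound` before testing with `dig homeserver.atetux @127.0.0.1`.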

DNS Blocker

Notice that we can even use Unbound as a DNS blocker, similar to how Pi-hole works. Add

include: "/etc/unbound/block.conf"

at the bottom of unbound.conf. Unbound's local-data uses a "DOMAIN TYPE ADDRESS" format. For example, to block the domain ubuntu.com, add the following to /etc/unbound/block.conf:

local-data: "ubuntu.com A 127.0.0.1"

Testing DNS

To test our DNS, we'll use dig to query a random domain. Run the following one-liner:

for a in {1..5}; do dig a kernel.org @127.0.0.1 | grep -w 'Query time'; done

[Screenshot: test cache unbound]
The first query takes 24 msec to respond, but subsequent ones take 0 msec because Unbound has already cached the result. By default, how long an entry stays cached depends on the TTL of the domain.

To test the blocked domain, query it using dig:

dig ubuntu.com @127.0.0.1

[Screenshot: dig ubuntu domain]
